Session ID management
am 12.06.2007 08:05:01 von Anoop
Hello,
I am developing a Simple ASP Application with a Login page. I
want to know how session ID can be generated after User has authenticated
instead of generation along with the Login page request. Also Session ID must
be unique each time the user logs in. This is required so that Session
Hijacking and Session Fixation could be prevented. Should I have to use other
process instead of General ASP Session Management. Please Help
Thank you
Re: Session ID management
am 12.06.2007 10:12:03 von Anthony Jones
"anoop" wrote in message
news:59E3F387-4B0E-47BD-82CB-A581C217C211@microsoft.com...
> Hello,
> I am developing a Simple ASP Application with a Login page. I
> want to know how session ID can be generated after User has authenticated
> instead of generation along with the Login page request. Also Session ID
> must
> be unique each time the user logs in. This is required so that Session
> Hijacking and Session Fixation could be prevented. Should I have to use
> other
> process instead of General ASP Session Management. Please Help
>
> Thank you
Bear in mind that simply assigning a session an ID doesn't make the session
authentic.
You can store some value in the session object after successful
authentication which your other pages check before allowing other activity.
A simple solution is to use https for the entire session. The cost is that a
busy site can create a heavy load on the server and a server can only
support one https website (no host header site selection).
I can't see how ASP's standard session management is vulnerable to a fixation
attack.
As to a hijacking, that would require a man in the middle or some locally
installed network sniffing. In that case anything sent in the clear is
vulnerable. If that is a serious concern then only https provides a serious
level of protection.
If https is not doable yet you're still seriously concerned about session
hijacking you could use your own cookie to hold a unique value which changes
each request. All your pages would have to check the cookie value against the
expected value stored in the session, then create a new value for the cookie
and store that in the session. In that case an attacker would have to have
the latest response in order to hijack, and such hijacking is less covert
since it breaks the existing client activity.
However the above doesn't protect from clever man-in-the-middle attacks, is
complex to implement and can make the normal use of the application fragile.
My guess is ultimately all you really are after is in my first paragraph ;)
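The two ideas Anthony describes (a marker stored server-side after a successful login that every page checks, and a per-request cookie value that each request must chain to) are easy to see working in a small model. The block below is an added example, not code from this thread or from ASP; it is language-neutral Python rather than VBScript, uses an in-memory dict in place of the ASP Session object, and constructs its own "client" requests. Egbert's "each session request must chain to the previous request" is the same scheme. The names `login`, `handle_request` and `demo` are the example's own.

```python
import secrets
import hmac

# In-memory server-side session table: session id -> session data.
# Constructed for this example; stands in for the web server's Session object.
SESSIONS = {}

def new_token():
    """Unpredictable value from a CSPRNG (not a Rnd()-style generator)."""
    return secrets.token_urlsafe(32)

def login(username, password_ok):
    """Login page logic. Only after the credential check has passed is a
    session record created and the first chain token issued, so nothing the
    client held before authenticating is reused. Returns (session_id, token)
    or None when the login fails."""
    if not password_ok:
        return None
    session_id = new_token()          # fresh id, never the pre-login one
    token = new_token()
    SESSIONS[session_id] = {"user": username,
                            "authenticated": True,   # the marker other pages check
                            "expected": token}       # cookie value expected next
    return session_id, token

def handle_request(session_id, presented_token):
    """The check every protected page performs. Returns (status, next_token):
    on success the expected value is rotated and the new one is sent back
    in the cookie; on a mismatch the session is torn down so that whoever
    holds the stale value (legitimate client or not) sees the break."""
    sess = SESSIONS.get(session_id)
    if sess is None:
        return "no-session", None
    if not sess["authenticated"]:
        return "unauthenticated", None
    if not hmac.compare_digest(sess["expected"], presented_token):
        del SESSIONS[session_id]
        return "token-mismatch", None
    sess["expected"] = new_token()
    return "ok", sess["expected"]

def logout(session_id):
    SESSIONS.pop(session_id, None)

def demo():
    """Constructed walk-through: a legitimate client chains three requests,
    then a stale cookie value is replayed and the chain breaks visibly."""
    SESSIONS.clear()
    outcome = {}
    session_id, token = login("alice", password_ok=True)
    stale = token                     # suppose this one cookie value was observed in the clear
    for _ in range(3):                # client always sends the value from the last response
        status, token = handle_request(session_id, token)
        assert status == "ok"
    outcome["replay"], _ = handle_request(session_id, stale)          # stale value rejected
    outcome["victim_after_replay"], _ = handle_request(session_id, token)  # chain is gone
    outcome["bad_login"] = login("mallory", password_ok=False)        # no session at all
    return outcome

if __name__ == "__main__":
    print(demo())
```

`demo()` returns `{'replay': 'token-mismatch', 'victim_after_replay': 'no-session', 'bad_login': None}`: the replayed value is refused, and the legitimate client's next request fails too, which is exactly the "less covert" property Anthony mentions. It also shows the fragility he warns about: any lost or reordered response (a double-click, a back-button resubmit, two tabs) breaks the chain in the same way, which is why this scheme is a fallback for when https is not available rather than a replacement for it.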
Re: Session ID management
am 12.06.2007 13:58:08 von Egbert Nierop
"anoop" schreef in bericht
news:59E3F387-4B0E-47BD-82CB-A581C217C211@microsoft.com...
> Hello,
> I am developing a Simple ASP Application with a Login page. I
> want to know how session ID can be generated after User has authenticated
> instead of generation along with the Login page request. Also Session ID
> must
> be unique each time the user logs in. This is required so that Session
> Hijacking and Session Fixation could be prevented. Should I have to use
> other
> process instead of General ASP Session Management. Please Help
Sure ;)
All about session management, ok, not all, but a lot about it below.
If you really want to be sure that a session cookie is not hijacked, you
should use SSL or regenerate a new cookie at each request, so that each
session request must chain to the previous request.
ISP Session supports that, and it requires less CPU stress than using sec
SSL.
--
compatible web farm Session replacement for Asp and Asp.Net
http://www.nieropwebconsult.nl/asp_session_manager.htm